Import from Azure AD
Azure import allows you to import user data from an Azure Active Directory (IQ4docs must first be registered in Azure AD as an application, see also Registering IQ4docs as an App in Azure). Multiple Azure imports can be created for the same Azure AD, for example to use different filters and settings (e.g. one group of people gets pin codes, the other does not). Create an Azure import source as follows.
Open Web Administration
To open the web administration, enter http://<hostname>/webadmin in the web browser (where hostname corresponds to the server on which IQ4docs WebAdmin was installed).
Open User Import
In web administration, click on Users > User Import in the menu.
Create user import
Click Create User Import and select User Import from Azure AD.
User Import from Azure AD
During import, values are taken from the fields of the directory service. If a field is not specified, this value is not imported (the existing value in the user data record in IQ4docs is retained).
The attribute specification can contain a single attribute (e.g. Department) or multiple attributes or a fixed text. To set this value, enclose it in double quotes, for example: "\Servername\%department%\%surName% %givenName%" or "%surName%%givenName%".
General
| Field | Description |
|---|---|
| Name | Enter the display name to be used for displaying the import source in the import source list. |
| Execution interval | Enter the execution interval here. When set to Never, the execution must always be started manually. |
Azure AD settings
| Field | Description |
|---|---|
| Client Domain | Specify the customer domain that contains the users you want to import, e.g. company.com. |
| Client ID | The client ID is assigned by the Azure AD when registering the application IQ4docs (client ID and client secret are the credentials). They are used exclusively by UserService for importing user data and must contain the following permissions: read.user.all and read.groups.all, see also Registering IQ4docs as an App in Azure. |
| Client Secret | The client secret is generated - like the client ID - when registering IQ4docs in the Azure AD. Click Save Client Secret to enter a client secret. If you have already entered a client secret, you can change it using the Change Client Secret button. Once entered, the stored client secret is never transmitted to the browser again for security reasons. |
| User filter | By means of user filters, you can influence which user data records are read from the directory service. Set a filter that only reads the data record relevant for IQ4docs from the directory to minimize resources used for the automatic import. Examples: startswith(displayname, 'ma') (display name of the user must start with ma) startswith(userPrincipalName, 'm') and startswith(department, 'i') (Principal name of the user must start with m and the department with i) givenname eq 'ben' (first name must be ben) surname ne 'schmidt' or startswith(department, 'b') (Surname must not be schmidt or the department must start with b) |
| Group filter | You can use group filters to influence which groups are read from the directory service. Set a filter that only reads the groups relevant for IQ4docs from the directory to minimize resources used for the automatic import. The groups of a user are imported as user keywords by default. startswith(displayname, 'ma') (display name of the group must start with ma) displayname eq 'm' and startswith(description, 'abc') (display name of the group must start with m and the description with abc) If groups are excluded by this filter, they are also not available for any further use (e.g. assignment of rights based on group membership or keyword import). |
User Data
| Field | Description |
|---|---|
| Name | Attribute for the display name of the user (e.g. displayName). |
| Attribute for the user’s e-mail address. If the entry in the directory service is empty, the e-mail address in IQ4docs is removed (e.g. mail). | |
| Department | Attribute for importing a department for the user. If the department does not yet exist, it will be created (e.g. department). |
| Personal folder | Attribute for the user's personal folder (e.g.: "\Servername\%department%\%surName% %givenName%"). |
| Keywords | The names of the groups in which a user is a member are automatically imported as keywords. In this field you can restrict the names of the groups from which keywords are generated. Examples: * - All group names are imported as a keyword Print* - All group names starting with Print are imported as a keyword *IQ**doc - All group names containing IQ or ending in doc are imported as a keyword At this location, only those group names can be made into keywords that have been allowed by the group filter, see Import from Azure AD. |
Cost Center
| Field | Description |
|---|---|
| Display Name | Display name of the cost center - the user will see this name. |
| Cost Center | Field to import a cost center for the user. If the cost center does not yet exist, it will be created. |
| Keyword | Keywords can be generated automatically for the user during import. The value in the specified field is used as a keyword (this is always placed first in the user's keyword list). Additionally, group names in which the user is located can be used as keywords. |
Access cards
| Field | Description |
|---|---|
| Card Number | Attribute for the card number. If the attribute does not contain a value, this means that no card should be imported for this user, or that the card already imported for this user should be deleted (manually created cards are retained). The maximum number of access cards can be restricted, see Set number of registrable cards per user (meaning in this case that existing cards of the user can be automatically deleted by the import of a card). |
| Valid Until | Here you have the possibility of specifying an attribute the value of which indicates until when a card is to be valid. With Microsoft Active Directory, for example, you have the possibility of referencing the attribute accountExpires. However, you also have the possibility of selecting an attribute in which a date was manually entered. The format of the date must, however, correspond to the country settings of the server on which the UserService is installed. If the attribute has no value, the card never expires. If the entry in the directory service is empty, it is also cleared in IQ4docs. |
Login Data
| Field | Description |
|---|---|
| Login name | Attribute for the login name. The default value is sAMAccountName for Active Directory and userPrincipalName for Azure AD. If the entry in the directory service is empty, the existing value in IQ4docs is retained during the update. |
| Valid Until | Here you have the possibility of specifying an attribute the value of which indicates until when the login is to be valid. With Microsoft Active Directory, for example, you have the possibility of referencing the attribute accountExpires. However, you also have the possibility of selecting an attribute in which a date was manually entered. The format of the date must, however, correspond to the country settings of the server on which the Utility Service is installed. If the attribute has no value, the login never expires. If the entry in the directory service is empty, it is also cleared in IQ4docs. |
Pin code
| Field | Description |
|---|---|
| Pin code | The pin code can be imported from an attribute. This value then overwrites any existing pin code. If the entry in the directory service is empty, the user's pin code is removed. |
| Generate pin code | If the Generate Pin Code option is enabled, a new pin code is generated automatically for all users who do not yet have a pin code. All allowed characters are used randomly to generate the pin code, see Define complexity of pin codes). If a user already has a pin code, a new one is not generated automatically. |
Administrative identifier
| Field | Description |
|---|---|
| Administrative identifier | Specify the administrative identifier to be assigned to the user in the directory service in dependence on a group membership (see also Administrative identifiers). Example: If you enter Berlin in the first field and Group1 in the second field, the user is assigned the administrative identifier Berlin if he is a member of the Group1 group in the directory service. You can assign as many administrative identifiers as you like with  . However, a user can have only one administrative identifier. If a user is in more than one group, the administrative identifier of the last group is used. |
User-Defined Fields For Users
Specify the fields whose contents are to be imported into user-defined fields. User-defined fields are used during import just like other fields; see also Create Custom Fields For Users.
This area is only available if user-defined fields have already been defined for users.
User is allowed to...
The user rights listed in the table below can be set for each imported user (Yes), set for no user (No), imported depending on a group membership in the directory service, or managed manually.
Click the checkbox repeatedly until the desired state is reached:
- Yes: The right is set for each imported user.
- No: The right is not set for any imported user.
- Import Depending On A Group Membership: Then specify the name of the group in the AD group name field (e.g. PrintAdmins). If the user is in the specified group, the permission is set, if not, it is removed. Note that groups can be excluded via the group filter.
- Manage Manually: If you do not want to control the right via the import (but want to assign the right manually in the user data record of IQ4docs), do not specify a group name.
| Field | Description |
|---|---|
| Print in color | The user is able to print in color. |
| Copy in color | The user is able to copy in color. |
| Edit direct printer favorites yourself | The user can choose their own direct printer favorites in the WebClient, see Select favorites and direct printer. |
| Change system settings on device | If a user logs in to the device via the Embedded Client and this right is available, the user has administrative rights on the device (e.g. to make system settings on the device). The right is interpreted differently for each manufacturer/device, e.g. for Toshiba/OKI devices, when this right is set, all other rights are also set. |
| Use own address book | The user has the possibility to maintain their own address book via the WebClient and use the entries on the device, see My address book. Without this right, the My Address Book area is not visible in the WebClient. |
| Create own workflows | The user is permitted to derive and save a new workflow from an existing workflow on the device. Without this right the button is not visible. |
| Set workflow as favorite | The user is allowed to mark a workflow on the device as a favorite. Without this right the button is not visible. |
| Use device function | The user is allowed to leave the Embedded Client via the Copy menu > Device Function and use the device functions (menu of the device). Without this right the button is grayed out. |
| Show recent workflows | The user can call up recently executed workflows on the device from the Last Used area. Without this right, this area is empty. |
| Save Changes To Device | The user is allowed to save changes to the settings (e.g. language) permanently. Without this right, for example, the language can be changed temporarily, but after logging out, it is automatically reset to the default language. |
| See WebClient area "My scan jobs" | The user can view the Scan Jobs area in the WebClient (see My Scan Jobs). Scans with the My Web scan destination are displayed here (see also Scan destination My Web module). |
| See WebClient area "My Tasks" | The user can view the My Tasks area in the WebClient (see My Tasks). The documents of a document review are displayed here (see also Document review). |
| See WebClient area "Device Overview" | The user can see the Device Overview area in the WebClient (see Device overview). This page allows the setting of direct printers, among other things, and the printing method can be set (some functions must be authorized individually). |
| See WebClient area “Users" | The user can see the Users area in the WebClient (see User). On this page, you can authorize other areas individually (manage Microsoft account data (OneDrive), request a new pin code, change your password, manage your E-MailPrint addresses). |
| See WebClient area “Account statement" | The user can see the Account Statement area in the WebClient (see Account Statement). |
| See WebClient area "Process release" | The user can see the Process Release area in the WebClient (see Process approval). |
| Manage Microsoft account credentials (OneDrive) | The user can see the Microsoft Account Link (Office365/OneDrive etc.) area in the Users area and manage their account data (see User). |
| Generate new pin code | The user can see the Generate New Pin Code area in the Users area and request a new pin code generated automatically by the system (see User). |
| Change password | The user can see the Set New Password area in the Users area and change their password saved in IQ4docs (see User). |
| Manage own E-MailPrint addresses | The user can see the Address For E-Mail Print area in the Users area and store further e-mail addresses relevant for e-mail print (see User and E-MailPrint). |
Administrative rights
This section is used to define settings for the users who are to be IQ4docs administrators. Administrators can log in to WebAdmin and - according to their role - make changes to the system.
Roles
Roles can be assigned depending on group membership in the directory service, see also Role Management.
- Select the desired role from the drop-down list.
- Specify the group name (all members of this group are assigned the role).
- If several groups are to be assigned, click on
and then specify another role and group.
Restriction to the following administrative identifiers
If the administrator is only to have access to objects that are marked with an administrative identifier, you can also do this in dependence on a group membership, see also Administrative identifiers.
- Specify the administrative identifier.
- Specify the group name (all members of this group receive the administrative identifier).
- If multiple administrative identifiers are to be assigned, click and then specify another administrative identifier and a group.
Test user import
Before the import is executed, it should be tested to verify that the settings and the object filters output the expected users (for testing, the data do not need to be saved yet). To do this, open the Test area. A search is started immediately.
-
Maximum Number Of Records: By default, only the first 10 data records are displayed. You can set the Maximum Number of Data Records to 10, 100 or 1000.
-
Search: You can enter a search term to check whether desired records are in the set of the records to be imported.
-
Number Of Users: Number of users that match the search filter and would be imported in a real import run. This number is independent of the number set under Maximum Number Of Data Records.
-
Use
to reload the data and apply the set search filter.
The columns of the output list can be shown and hidden using the Columns button.
Perform an import
The import can be performed manually - independently of the automatic execution based on an interval. To do so, click 
Run in the list view for the desired import.